a possible rewrite for a change suggested by Loic
diff --git
a/sfa/trust/credential.py
b/sfa/trust/credential.py
index
ee3f732
..
e4d5e99
100644
(file)
--- a/
sfa/trust/credential.py
+++ b/
sfa/trust/credential.py
@@
-34,8
+34,7
@@
import datetime
from tempfile import mkstemp
from xml.dom.minidom import Document, parseString
from tempfile import mkstemp
from xml.dom.minidom import Document, parseString
-from sfa.util.py23 import StringType
-from sfa.util.py23 import StringIO
+from sfa.util.py23 import PY3, StringType, StringIO
HAVELXML = False
try:
HAVELXML = False
try:
@@
-579,12
+578,16
@@
class Credential(object):
f = filep
else:
f = open(filename, "w")
f = filep
else:
f = open(filename, "w")
+ if PY3 and isinstance(self.xml, bytes):
+ self.xml = self.xml.decode()
f.write(self.xml)
f.close()
def save_to_string(self, save_parents=True):
if not self.xml:
self.encode()
f.write(self.xml)
f.close()
def save_to_string(self, save_parents=True):
if not self.xml:
self.encode()
+ if PY3 and isinstance(self.xml, bytes):
+ self.xml = self.xml.decode()
return self.xml
def get_refid(self):
return self.xml
def get_refid(self):
@@
-1057,9
+1060,9
@@
class Credential(object):
message = "Delegated credential {} not signed by parent {}'s caller"\
.format(self.pretty_cred(), parent_cred.pretty_cred())
logger.error(message)
message = "Delegated credential {} not signed by parent {}'s caller"\
.format(self.pretty_cred(), parent_cred.pretty_cred())
logger.error(message)
- logger.error("compare1 parent {}".format(parent_cred.get_gid_caller().pretty_c
red
()))
+ logger.error("compare1 parent {}".format(parent_cred.get_gid_caller().pretty_c
ert
()))
logger.error("compare1 parent details {}".format(parent_cred.get_gid_caller().save_to_string()))
logger.error("compare1 parent details {}".format(parent_cred.get_gid_caller().save_to_string()))
- logger.error("compare2 self {}".format(self.get_signature().get_issuer_gid().pretty_cre
d
()))
+ logger.error("compare2 self {}".format(self.get_signature().get_issuer_gid().pretty_cre
rt
()))
logger.error("compare2 self details {}".format(self.get_signature().get_issuer_gid().save_to_string()))
raise CredentialNotVerifiable(message)
logger.error("compare2 self details {}".format(self.get_signature().get_issuer_gid().save_to_string()))
raise CredentialNotVerifiable(message)
@@
-1103,29
+1106,36
@@
class Credential(object):
return getattr(self,'filename',None)
def actual_caller_hrn(self):
return getattr(self,'filename',None)
def actual_caller_hrn(self):
- """a helper method used by some API calls like e.g. Allocate
+ """
+ a helper method used by some API calls like e.g. Allocate
to try and find out who really is the original caller
This admittedly is a bit of a hack, please USE IN LAST RESORT
This code uses a heuristic to identify a delegated credential
to try and find out who really is the original caller
This admittedly is a bit of a hack, please USE IN LAST RESORT
This code uses a heuristic to identify a delegated credential
- A first known restriction if for traffic that gets through a slice manager
- in this case the hrn reported is the one from the last SM in the call graph
- which is not at all what is meant here"""
+ A first known restriction if for traffic that gets through a
+ slice manager in this case the hrn reported is the one from
+ the last SM in the call graph which is not at all what is
+ meant here
+ """
- caller_hrn
= self.get_gid_caller().get_hrn(
)
- issuer_hrn
= self.get_signature().get_issuer_gid().get_hrn(
)
+ caller_hrn
, caller_type = urn_to_hrn(self.get_gid_caller().get_urn()
)
+ issuer_hrn
, issuer_type = urn_to_hrn(self.get_signature().get_issuer_gid().get_urn()
)
subject_hrn = self.get_gid_object().get_hrn()
subject_hrn = self.get_gid_object().get_hrn()
+ # if the caller is a user and the issuer is not
+ # it's probably the former
+ if caller_type == "user" and issuer_type != "user":
+ actual_caller_hrn = caller_hrn
# if we find that the caller_hrn is an immediate descendant of the issuer, then
# this seems to be a 'regular' credential
# if we find that the caller_hrn is an immediate descendant of the issuer, then
# this seems to be a 'regular' credential
- if caller_hrn.startswith(issuer_hrn):
- actual_caller_hrn
=
caller_hrn
+
el
if caller_hrn.startswith(issuer_hrn):
+ actual_caller_hrn
=
caller_hrn
# else this looks like a delegated credential, and the real caller is the issuer
else:
# else this looks like a delegated credential, and the real caller is the issuer
else:
- actual_caller_hrn
=
issuer_hrn
+ actual_caller_hrn
=
issuer_hrn
logger.info("actual_caller_hrn: caller_hrn={}, issuer_hrn={}, returning {}"
logger.info("actual_caller_hrn: caller_hrn={}, issuer_hrn={}, returning {}"
- .format(caller_hrn,
issuer_hrn,
actual_caller_hrn))
+ .format(caller_hrn,
issuer_hrn,
actual_caller_hrn))
return actual_caller_hrn
##
return actual_caller_hrn
##
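Review bot: The "immediate descendant" test that the last hunk keeps as `elif caller_hrn.startswith(issuer_hrn):` is a plain string-prefix check, so an issuer hrn that happens to be a prefix of an unrelated name (made-up example: issuer `a.b`, caller `a.bc.x`) is treated as the caller's parent and the credential is classified as "regular", returning the caller hrn instead of the issuer hrn. Because this value is what the API uses to decide who the original caller is, the comparison should require a component boundary, for instance `elif caller_hrn.startswith(issuer_hrn + "."):` assuming hrns are dot-separated (to be confirmed against the hrn helpers), or the parent hrn should be derived and compared explicitly. The new first branch (`if caller_type == "user" and issuer_type != "user":`) is not described in the rewritten docstring just above it; adding a sentence such as `When the caller is a user and the issuer is not, the caller hrn is taken as the actual caller; otherwise the prefix heuristic below applies` would keep the docstring in step with the heuristic. In the second hunk, `self.xml.decode()` relies on the default codec; `self.xml.decode("utf-8")` would make the assumption explicit for readers of save_to_file and save_to_string.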